The preferred way to authorize the 7pace app into an Azure DevOps environment (OAuth) needs write permission to the user profile.
I wonder why a 3rd-party plugin needs to write to user profiles in Azure DevOps / Azure AD / Entra ID?
Please change it to read permission.
OAuth is one of the two authorization methods. The second method asks only for read permissions and the 7pace app still works. It is also in the documentation. So technically it might be easy to introduce more security here.
-
Hi Petr,
Yes, we get your point! The reason behind this lies in the fact that OAuth was initially implemented as our primary authorization method. This choice provided us with greater flexibility for future developments. When we introduced the new method utilizing PAT, we designed it with the understanding that full data access wouldn't be necessary. However, transitioning away from the current OAuth approach entails a substantial modification that could disrupt existing OAuth tokens. For this reason, we have held back from making this change at this point.
May I ask about your specific need to use OAuth instead of PAT?
We will document your feedback for now, and if there is increasing demand for such changes, we will reassess our approach, but it is not currently on our immediate agenda.
Thank you for your understanding!
All the best, Nici
-
Hi Nici,
The OAuth connection method offers a better user experience currently, we think. PAT has downsides:
- the user needs to follow a multi-step checklist to proceed. The OAuth process is more straightforward.
- the user needs to repeat that every year to regenerate the token (one year is the maximum validity of a PAT). The OAuth connector does not need regular repetition, AFAIK.
We would prefer using OAuth over PAT for our use case if it offered the same security as PAT.
You could replace the User.ReadWrite.All permission in the OAuth app permissions with User.Read.All (or User.Read), and perhaps your existing user base will not be affected; only every newly connecting user will be presented with these lower rights on the onboarding screen and be able to grant them to your app. This way the security bar is raised without introducing problems for current/future users. But you will need to change the app to work with these lower permissions coming from OAuth, if it does not work with them already.
What do you think?
Thanks!
Petr
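An added example, not code from 7pace or from anyone in this thread: a small Python audit that decodes the access token an OAuth connector receives and checks its `scp` claim (where Entra ID lists the delegated permissions a user consented to) against a read-only allow-list. It is the check a team would run to confirm whether the downgrade from User.ReadWrite.All to User.Read.All proposed above actually took effect for new consents. The allow-list, the write-to-read mapping and the two sample tokens are this example's own assumptions; the tokens are constructed and unsigned, and the code deliberately does not verify signatures because it audits scope content rather than trust.

```python
import base64
import json

# Write scopes with their read-only counterparts. The names are the Microsoft
# Graph delegated permissions discussed in the thread; the mapping is an
# assumption of this example, not a list published by Entra ID or 7pace.
READ_ONLY_EQUIVALENT = {
    "User.ReadWrite.All": "User.Read.All",
    "User.ReadWrite": "User.Read",
}

# Scopes a read-only integration is expected to carry (assumed allow-list).
EXPECTED_SCOPES = {
    "openid", "profile", "email", "offline_access",
    "User.Read", "User.Read.All",
}


def _b64url_decode(segment: str) -> bytes:
    """Decode a base64url segment, restoring the '=' padding JWTs strip."""
    segment += "=" * (-len(segment) % 4)
    return base64.urlsafe_b64decode(segment)


def decode_jwt_payload(token: str) -> dict:
    """Return the claims of a compact JWT without verifying its signature.

    Signature verification is out of scope on purpose: this inspects which
    scopes a token carries, it does not decide whether to trust the token.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected header.payload.signature")
    return json.loads(_b64url_decode(parts[1]))


def granted_scopes(claims: dict) -> set:
    """Entra ID puts delegated permissions in 'scp' as a space-separated string."""
    return set(claims.get("scp", "").split())


def audit_scopes(token: str) -> dict:
    """Compare the consented scopes with the allow-list and propose downgrades."""
    scopes = granted_scopes(decode_jwt_payload(token))
    excess = sorted(scopes - EXPECTED_SCOPES)
    downgrades = {s: READ_ONLY_EQUIVALENT[s] for s in scopes if s in READ_ONLY_EQUIVALENT}
    return {
        "scopes": sorted(scopes),
        "excess": excess,              # anything beyond what read-only needs
        "downgrades": downgrades,      # write scope -> read scope to request instead
        "least_privilege": not excess,
    }


def make_unsigned_token(claims: dict) -> str:
    """Build a constructed, unsigned token for offline testing (not issued by Entra ID)."""
    def enc(obj: dict) -> str:
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'none', 'typ': 'JWT'})}.{enc(claims)}."


# Constructed samples: what the current consent grants, and what the proposed one would.
CURRENT_CONSENT = make_unsigned_token(
    {"scp": "openid profile offline_access User.ReadWrite.All"})
PROPOSED_CONSENT = make_unsigned_token(
    {"scp": "openid profile offline_access User.Read.All"})

if __name__ == "__main__":
    for label, token in (("current", CURRENT_CONSENT), ("proposed", PROPOSED_CONSENT)):
        print(label, json.dumps(audit_scopes(token)))
```

Run against a real token pasted from the connector's token response, the `excess` list is the set of permissions to take up with the vendor; an empty list on tokens issued after the app registration change is the evidence that new consents no longer carry write access.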
-
Hello Petr,
Thank you for your reply! I have consulted with our developers regarding the solution you proposed. This could potentially be feasible, but it will require some deeper investigation on our part to cover all our bases. Currently, our priorities lie elsewhere, but we will keep it in our backlog and try to investigate this further. We will revisit this issue as its demand increases and keep you updated accordingly.
All the best, Nici